概要
C#でlibyaraをやってみた。
練習問題やってみた。
練習問題
フォルダを監視して、Emotetを検知せよ。
方針
FileSystemWatcherで、フォルダ監視。
YaraSharpで、Emotet検知。
写真
サンプルコード
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Windows.Forms;
using System.Drawing;
using YaraSharp;
namespace YaraSharp
{
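public partial class Form1 : Form {
    // The button caption doubles as the watcher state, so the constructor must start the
    // button with exactly the caption button1_Click compares against (the original started
    // with "start", so the first click "stopped" a watcher that had never been started).
    private const string StartCaption = "監視開始";
    private const string StopCaption = "監視停止";
    private const string RuleFileName = "emotet.rule.txt";

    private delegate void SafeCallDelegate(string text);
    private readonly FileSystemWatcher watcher = new FileSystemWatcher();
    private Button button1;
    private TextBox textBox1;   // directory to watch
    private TextBox textBox3;   // scan log, newest line first
    private System.Windows.Forms.NotifyIcon notifyIcon1;

    /// <summary>
    /// Builds the UI by hand (there is no designer file in this sample): a path box, a
    /// start/stop button, a log box and a tray icon, then subscribes the watcher and form
    /// events. Watching does not start until the button is clicked.
    /// </summary>
    public Form1() {
        this.Text = "emocheck";
        this.button1 = new Button();
        this.textBox1 = new TextBox();
        this.textBox3 = new TextBox();

        this.button1.Location = new System.Drawing.Point(300, 130);
        this.button1.Name = "button1";
        this.button1.TabIndex = 0;
        this.button1.Text = StartCaption;
        this.button1.Click += new System.EventHandler(this.button1_Click);

        this.textBox1.Location = new System.Drawing.Point(30, 20);
        this.textBox1.Multiline = true;
        this.textBox1.Name = "textBox1";
        this.textBox1.Size = new System.Drawing.Size(300, 50);
        this.textBox1.TabIndex = 2;
        this.textBox1.Text = @"C:\Users\user\Desktop\iroiro";

        this.textBox3.Location = new System.Drawing.Point(30, 200);
        this.textBox3.Multiline = true;
        this.textBox3.Name = "textBox3";
        this.textBox3.Size = new System.Drawing.Size(300, 150);
        this.textBox3.TabIndex = 2;
        this.textBox3.Text = "";

        this.ClientSize = new System.Drawing.Size(400, 400);
        this.Controls.AddRange(new Control[] {
            this.button1,
            this.textBox1,
            this.textBox3
        });

        this.notifyIcon1 = new System.Windows.Forms.NotifyIcon();
        this.notifyIcon1.Text = "ic0";
        // A NotifyIcon with no Icon assigned is never drawn in the tray; the original
        // set none, so minimising made the window unreachable.
        this.notifyIcon1.Icon = SystemIcons.Application;
        this.notifyIcon1.Visible = true;
        this.notifyIcon1.MouseDoubleClick += new System.Windows.Forms.MouseEventHandler(this.notifyIcon1_MouseDoubleClick);

        // Form1_Resize existed in the original but was never subscribed.
        this.Resize += new System.EventHandler(this.Form1_Resize);
        this.FormClosed += new FormClosedEventHandler(this.Form1_FormClosed);
        watcher.Created += new FileSystemEventHandler(watcher_Created);
    }

    /// <summary>
    /// Prepends <paramref name="text"/> to the log box. Safe to call from any thread:
    /// FileSystemWatcher raises its events on a thread-pool thread, so the call is
    /// marshalled to the UI thread. BeginInvoke is used so the watcher thread is not
    /// blocked (and cannot deadlock with the UI thread while the form is closing).
    /// </summary>
    /// <param name="text">Line to log.</param>
    private void AddLog(string text) {
        // Check InvokeRequired on the control actually being written (textBox3), not textBox1.
        if (textBox3.InvokeRequired)
        {
            textBox3.BeginInvoke(new SafeCallDelegate(AddLog), new object[] { text });
            return;
        }
        textBox3.Text = String.Format("{0}\r\n{1}", text, textBox3.Text);
    }

    /// <summary>
    /// Scans a newly created file against the YARA rule file and reports hit/pass.
    /// Runs on the watcher's thread-pool thread; all UI output goes through
    /// <see cref="AddLog"/> / <see cref="ShowVerdict"/>. Never opens or executes the file
    /// beyond reading it for the scan. Any failure is logged so the watcher keeps running.
    /// </summary>
    /// <param name="sender">The watcher.</param>
    /// <param name="args">Carries the full path of the created entry.</param>
    private void watcher_Created(object sender, FileSystemEventArgs args) {
        // Resolve the rule file relative to the executable, not Environment.CurrentDirectory:
        // the working directory depends on how the process was launched and may be writable
        // by other users, in which case a substituted rule file would silently turn every
        // scan into "pass".
        string ruleFile = Path.Combine(AppDomain.CurrentDomain.BaseDirectory, RuleFileName);
        string inputFile = args.FullPath;
        try
        {
            AddLog(String.Format("scanning {0}", inputFile));
            if (!File.Exists(ruleFile))
            {
                AddLog(String.Format("rule file not found: {0}", ruleFile));
                return;
            }
            // NOTE(review): yaraInstance is never used below; kept in case constructing it
            // initialises the native library — confirm against YaraSharp before removing.
            YSInstance yaraInstance = new YSInstance();
            using (YSContext context = new YSContext())
            using (YSCompiler compiler = new YSCompiler(null))
            {
                compiler.AddFile(ruleFile);
                // NOTE(review): the reports are fetched but their contents are not inspected
                // here (YSReport's members are not visible in this file) — confirm how a rule
                // that failed to compile should be surfaced instead of scanning with no rules.
                YSReport compilerErrors = compiler.GetErrors();
                YSReport compilerWarnings = compiler.GetWarnings();
                YSScanner scanner = new YSScanner(compiler.GetRules(), null);
                // Scan exactly once; the original scanned the same file twice.
                List<YSMatches> matches = scanner.ScanFile(inputFile);
                foreach (var match in matches)
                {
                    // Console.WriteLine has no visible sink in a WinForms app; log instead.
                    AddLog(String.Format("  rule: {0}", match.Rule.Identifier));
                }
                ShowVerdict(matches.Count > 0 ? "hit" : "pass");
            }
        }
        catch (IOException ex)
        {
            // Created fires as soon as the directory entry exists; a file that is still being
            // written is frequently locked by the writer. Report it rather than crash.
            AddLog(String.Format("could not read {0}: {1}", inputFile, ex.Message));
        }
        catch (Exception ex)
        {
            AddLog(ex.Message);
        }
    }

    /// <summary>
    /// Logs the verdict and shows it in a message box on the UI thread. The box is
    /// dispatched with BeginInvoke so the watcher thread returns immediately instead of
    /// sitting in a modal loop while further Created events queue up.
    /// </summary>
    /// <param name="verdict">"hit" or "pass".</param>
    private void ShowVerdict(string verdict) {
        AddLog(verdict);
        BeginInvoke((MethodInvoker)(() => MessageBox.Show(this, verdict, this.Text)));
    }

    /// <summary>
    /// Toggles watching. Start: validates the directory, arms the watcher and switches
    /// the caption to "stop". Stop: disarms the watcher and switches the caption back.
    /// </summary>
    private void button1_Click(object sender, EventArgs e) {
        if (button1.Text.Equals(StartCaption, StringComparison.Ordinal))
        {
            string path = textBox1.Text.Trim();
            // FileSystemWatcher.Path throws ArgumentException for a directory that does
            // not exist; report it in the log instead of surfacing an unhandled exception.
            if (!Directory.Exists(path))
            {
                AddLog(String.Format("directory not found: {0}", path));
                return;
            }
            watcher.Path = path;
            watcher.EnableRaisingEvents = true;
            button1.Text = StopCaption;
            AddLog(String.Format("watching {0}", path));
        }
        else
        {
            watcher.EnableRaisingEvents = false;
            button1.Text = StartCaption;
            AddLog("stopped");
        }
    }

    /// <summary>Hides the window to the tray when minimised.</summary>
    private void Form1_Resize(object sender, EventArgs e) {
        if (this.WindowState == FormWindowState.Minimized)
        {
            this.Visible = false;
            notifyIcon1.Visible = true;
        }
    }

    /// <summary>Restores the window from the tray on a double-click of the icon.</summary>
    private void notifyIcon1_MouseDoubleClick(object sender, MouseEventArgs e) {
        this.Visible = true;
        this.WindowState = FormWindowState.Normal;
        notifyIcon1.Visible = false;
    }

    /// <summary>
    /// Releases the watcher and the tray icon on exit. Without disposing the NotifyIcon
    /// the icon lingers in the tray after the process has gone.
    /// </summary>
    private void Form1_FormClosed(object sender, FormClosedEventArgs e) {
        watcher.EnableRaisingEvents = false;
        watcher.Dispose();
        notifyIcon1.Visible = false;
        notifyIcon1.Dispose();
    }

    [STAThread]
    static void Main() {
        Application.Run(new Form1());
    }
}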
}
以上。